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Abstract 

Rotation  symmetric  ( RotS)  Boolean  functions  have  been  used  as  components  of  dif¬ 
ferent  cryptosystems.  This  class  of  Boolean  functions  are  invariant  under  circular 
translation  of  indices.  Using  Burnside’s  lemma  it  can  be  seen  that  the  number  of 
n- variable  rotation  symmetric  Boolean  functions  is  29n,  where  gn  =  ^  X^|n  4>(t )  2 t , 
and  </>(.)  is  the  Euler  phi- function.  In  this  paper,  we  find  the  number  of  short  and 
long  cycles  of  elements  in  Wf,  having  fixed  weight,  under  the  RotS  action.  As  a 
consequence  we  obtain  the  number  of  homogeneous  RotS  functions  having  algebraic 
degree  w.  Our  results  make  the  search  space  of  RotS  functions  much  reduced  and  we 
successfully  analyzed  important  cryptographic  properties  of  such  functions  by  ex¬ 
ecuting  computer  programs.  We  study  RotS  bent  functions  up  to  10  variables  and 
observe  (experimentally)  that  there  is  no  homogeneous  rotation  symmetric  bent 
function  having  degree  >  2.  Further,  we  studied  the  RotS  functions  on  5,6,7  vari¬ 
ables  by  computer  search  for  correlation  immunity  and  propagation  characteristics 
and  found  some  functions  with  very  good  cryptographic  properties  which  were  not 
known  earlier. 
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1  Introduction 


In  [10],  Pieprzyk  and  Qu  studied  some  functions,  which  they  called  rotation 
symmetric  ( RotS )  as  components  in  the  rounds  of  a  hashing  algorithm.  This  is 
a  desirable  property  when  efficient  evaluation  of  the  function  is  important,  for 
instance  in  the  implementation  of  MD4,  MD5  or  HAVAL,  since  one  can  reuse 
evaluations  from  previous  iterations.  It  turns  out  that  a  degree  2  RotS  function 
on  n  variables  takes  ^=^  +  6(m  —  1)  operations  (additions  and  multiplications) 
to  evaluate  in  m  consecutive  rounds  of  a  hashing  algorithm.  In  [8]  the  authors 
showed  how  to  break  in  less  than  20  mili-seconds  a  block  cipher  that  employs 
quadratic  Boolean  functions  as  its  S-boxes  even  if  it  is  provably  secure  against 
linear  and  differential  attacks.  This  suggests  that  one  should  employ  higher 
degree  functions  in  cryptographic  algorithms.  Moreover,  it  is  clear  that  to 
protect  from  linear  and  differential  cryptanalysis,  one  needs  functions  with 
high  nonlinearity.  The  study  started  by  Pieprzyk  and  Qu  [10]  on  the  2-degree 
RotS  functions  was  continued  in  [5] ,  the  authors  investigating  these  in  the  even 
dimensions.  It  has  been  shown  that  the  truth  table  of  an  n- variable  degree 
2  RotS  function  can  be  displayed  using  only  2n_3  —  2  operations  (additions 
and  multiplications)  as  opposed  to  |_^qr^J2n,  using  the  normal  form.  In  [5] 
some  results  about  the  weights  and  nonlinearity  of  degree  3  RotS  functions 
have  been  proved  and  it  was  conjectured  that  the  weight  and  nonlinearity  of 
any  degree  3  (homogeneous)  RotS  function  are  equal.  Moreover,  it  was  shown 
that  the  truth  table  of  a  degree  3  RotS  function  can  be  displayed  using  only 
2n~2  +  2n_4  +  2n_5  —  3  •  22  operations  (additions  and  multiplications). 

It  is  clear  that  there  are  22”  Boolean  functions  on  n  variables  and  under  no 
circumstances  (with  current  computational  power)  it  is  possible  to  search  them 
exhaustively  for  n  >  7  to  check  some  desired  property.  Thus  before  analyzing 
the  RotS  Boolean  functions  the  immediate  question  is:  how  many  rotation 
symmetric  functions  are  there?  Using  Burnside’s  lemma,  it  is  easy  to  see  that 
the  number  of  rotation  symmetric  Boolean  functions  is  a  very  small  fraction 
of  the  total  number  of  Boolean  functions  and  it  is  possible  to  search  the  space 
with  much  better  efficiency.  In  fact  the  rotation  symmetric  Boolean  functions 
has  been  studied  earlier  in  [6],  where  the  authors  studied  the  nonlinearity  of 
these  Boolean  functions  up  to  9  variables. 

Before  proceeding  further  let  us  present  some  introductory  material  for  better 
understanding.  Let  Vn(=  FJ) )  be  the  vector  space  of  dimension  n  over  the  two 
element  field  F2.  Let  Xi  G  {0, 1}  for  1  <  i  <  n.  For  1  <  k  <  n,  we  define 


Pn(xi]  =  xi+k  if  i  +  k  <  n, 

=  xi+k-n  if  i  +  k  >  n. 
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Let  (xi,  X2,  ■  ■  ■ ,  xn-i,  xn)  G  Yn.  Then  we  extend  the  definition  as 

Pn(x  1,  x2,  •  •  •  ,  X„-1,  Xn)  =  (p^(xi),  Pn(^2),  •  •  •  ,  Pn(xn-l),  PnM). 


Table  1 

Truth  table  of  Boolean  functions. 

A  Boolean  function  on  n  variables  may  be  viewed  as  a  mapping  from  Vn 
into  Vi.  We  interpret  a  Boolean  function  f(x i,...,xn)  as  the  output  col¬ 
umn  of  its  truth  table ,  i.e.,  a  binary  string  of  length  2”,  /  =  [/(0,  0, ...  ,0), 
/( 1,  0, . . . ,  0),  /( 0, 1, . . . ,  0), . . . ,  /(l,  1, . . . ,  1)].  In  Table  1  we  present  truth  ta¬ 
bles  of  4-variable  Boolean  functions. 

Definition  1  A  Boolean  function  f  is  RotS  if  and  only  if  for  any  (x\, . . . ,  xn)  G 
V 

v  n? 

f(Pn(X  l,---,Xn))  =  f(x  i,...,Xn) 

for  any  1  <  k  <  n. 

Note  that  there  are  2"  different  input  values  corresponding  to  a  function. 
From  the  above  definition,  it  is  clear  that  for  RotS  functions,  the  function 
/  possesses  the  same  value  corresponding  to  each  of  the  subsets  generated 
from  the  rotational  symmetry.  As  example,  for  n  =  4,  one  gets  the  following 
partitions  : 

{(0,  0,  0,  0)}, 

{(0,  0,  0,  1),  (0,  0,  1,  0),  (0,  1,  0,  0),  (1,  0,  0,  0)}, 

{(0,  0,  1,  1),  (0,  1,  1,  0),  (1,  0,  0,  1),  (1,  1,  0,  0)}, 

{(0,  1,  0,  1),  (1,  0,  1,  0)}, 

{(0,  1,  1,  1),  (1,  0,  1,  1),  (1,  1,  0,  1),  (1,  1,  1,  0)  }, 

{(1,  1,  1,  !)}■ 

Therefore,  there  are  6  different  subsets  which  partition  the  16  input  patterns 
and  any  4- variable  RotS  Boolean  function  can  have  a  specific  value  correspond¬ 
ing  to  each  subset.  Thus  there  are  26  =  64  rotation  symmetric  functions  on 
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4  variables.  In  Table  1,  the  left  one  is  a  function  which  is  not  RotS,  whereas, 
the  right  one  is  a  RotS  function  (each  different  subset  is  numbered).  Note  that 
there  are  6  different  subsets  and  two  of  them  are  of  size  1,  one  is  of  size  2  and 
the  rest  three  are  of  size  4. 

Let  us  denote 


Gn{x i, . . .  ,xn)  =  {pkn(x i, . . .  ,xn),  for  1  <  k  <  n), 

that  is,  the  orbit  of  (aq, . . . ,  xn)  under  the  action  of  pkn,  1  <  k  <  n.  It  is  clear 
that  Gn{x i, . . . ,  xn )  generates  a  partition  in  the  set  Vn.  Let  gn  be  the  number 
of  such  partitions.  As  example  g4  =  6.  Given  (aq, . . .  ,xn ),  a  function  is  RotS 
if  it  takes  the  same  value  for  all  the  inputs  in  Gn(x i, . . .  ,xn).  It  is  clear  that 
there  are  29n  number  of  n-variable  RotS  Boolean  functions.  From  Burnside’s 
lemma,  we  get  that  gn  =  ^  J2t\n  4>if)  (see  Section  2).  In  Table  2,  we  present 
the  first  few  values  of  gn. 


n 

1 

2 

3 

4 

5 

6 

7 

8 

9 

10 

11 

12 

13 

14 

15 

16 

9n 

2 

3 

4 

6 

8 

14 

20 

36 

60 

108 

188 

352 

632 

1182 

2192 

4116 

Table  2 

The  values  of  gn ,  1  <  n  <  16. 


For  binary  strings  Si,  £2  of  the  same  length  A,  we  denote  by  #(S'i  =  S'2) 
(respectively,  #(S'i  7^  S'2)),  the  number  of  places  where  Si  and  S2  are  equal 
(respectively,  unequal).  The  Hamming  distance  between  Si,  S'2  is  d{Si,S2 )  = 
if  (Si  7^  S'2).  We  will  also  use  the  notation  wd(S\,  S2 )  =  if  (Si  =  S2)  —  if  (Si  7^ 
S'2).  Note  that,  wd(S  1,  S2)  =  A  — 2  d(S  1,  S'2).  Also,  the  Hamming  weight ,  wt(S), 
or  simply  the  weight  of  a  binary  string  S'  is  the  number  of  ones  in  S'.  An  n- 
variable  function  /  is  said  to  be  balanced  if  its  output  column  in  the  truth 
table  contains  equal  number  of  0’s  and  l’s  (i.e.,  wt(f)  =  2n~1). 

Let  us  denote  the  addition  operator  over  GF(2)  by  +.  An  n-variable  Boolean 
function  f(x  1, . . .  ,xn )  can  be  seen  as  a  multivariate  polynomial  over  GF( 2). 
More  precisely,  /(aq, . . . ,  xn )  can  be  written  as  Oo+Z^L]  aixi+J2i<i<j<n  ctijXiXj+ 
■  ■  ■  +  di2...nXiX2  . . .  xn,  where  the  coefficients  a0,  a^,  a^, . . . ,  ai2...n  G  {0, 1}.  This 
representation  of  /  is  called  the  algebraic  normal  form  (ANF)  of  /.  The  num¬ 
ber  of  variables  in  the  highest  order  product  term  with  nonzero  coefficient  is 
called  the  algebraic  degree,  or  simply  the  degree  of  /.  A  Boolean  function  is 
said  to  be  homogeneous  if  its  ANF  contains  terms  of  the  same  degree  only. 

Functions  of  degree  at  most  one  are  called  affine  functions.  An  affine  func¬ 
tion  with  constant  term  equal  to  zero  is  called  a  linear  function.  The  set  of 
all  n-variable  affine  (respectively  linear)  functions  is  denoted  by  A{n )  (re¬ 
spectively  L(n)).  The  nonlinearity  of  an  n-variable  function  /  is  nl(f)  = 
ming£A{n)(d{f,  g)),  i.e.,  the  distance  from  the  set  of  all  n-variable  affine  func¬ 
tions. 
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Clearly  one  can  extend  pn  on  monomials  of  the  form  x^Xi2 . . .  Xir  Let  us  take 
an  example  of  4-variable  RotS  function.  If  the  term  x4x2x3  is  present  in  the 
ANF,  then  the  terms  x2x3x4,  x3x4x4,  x4x4x2  must  be  present  in  the  ANF.  Thus 
we  can  naturally  extend  the  notation  as  p^ix^x^  . . .  x^)  =  p^Xif) /4(ay2) . . .  p^ixif). 
Similarly,  in  this  case  Gn(xixxl2 . . .  xH )  =  {pknfxixXi2  . . .  xt/),  for  1  <  k  <  n}. 

We  select  the  representative  element  of  G^x^x^  . .  .x^)  as  the  lexicographi¬ 
cally  first  element.  As  example,  the  representative  element  of  {x4x2x3,  x2x3x4, 
x3x4x4 ,  x4x 1  x2 }  is  x4x2x3.  Note  that  it  is  also  clear  that  the  term  x\  will  al¬ 
ways  exist  in  the  lexicographically  first  element  (the  representative  element) 
if  we  consider  a  non  constant  rotation  symmetric  Boolean  function. 

We  now  define  the  short  algebraic  normal  form  (SANF)  of  a  RotS  function.  A 
RotS  function  f(x  1, . . .  ,xn )  can  be  written  as 


a 0  +  cqaq  +  a,\jX\Xj  +  . . .  +  ai2...n%iX2  •  •  •  xn , 

where  the  coefficients  ao,  ai,  aij, . . . ,  ai2...n  G  {0,1},  and  the  existence  of  a 
representative  term  X\ Xi2  ■  ■  ■  x%l  implies  the  existence  of  all  the  terms  from 
Gn(x ixi2 . .  .Xif)  in  the  ANF.  This  representation  of  /  is  called  the  short  al¬ 
gebraic  normal  form  (SANF)  of  /.  Note  that  the  number  of  terms  in  each 
summation  (X))  corresponding  to  same  degree  terms  depends  on  the  number 
of  short  and  long  cycles.  As  an  example,  let  us  consider  the  ANF  of  a  4- variable 
RotS  Boolean  function  x\  +  x2  +  x3  +  x4  +  x4x2x3  +  x2x3x4  +  x3x4x4  +  x4xix2- 
Its  SANF  is  X\  +  XiX2x3. 

As  we  have  already  mentioned,  a  Boolean  function  is  said  to  be  homogeneous 
if  its  algebraic  normal  form  contains  terms  of  same  degree  only.  It  is  an  impor¬ 
tant  question  to  settle  the  enumeration  of  homogeneous  RotS  functions,  which 
we  present  in  the  next  section  (Subsection  2.2).  Further  this  helps  us  in  reduc¬ 
ing  the  search  space  for  RotS  functions  and  we  develop  computer  programs  to 
explore  bent  functions  and  other  cryptographically  significant  Boolean  func¬ 
tions  in  this  set  (see  Section  3).  LIsing  the  computer  search  in  a  reduced  space, 
we  found  the  exact  count  of  8,48,  and  15104,  RotS  bent  functions  on  4,6,  and 
8  variables  respectively.  Homogeneous  bent  functions  have  recently  got  a  lot 
of  attention  in  literature  [2,3,12,17].  It  is  interesting  to  note  that  we  could 
not  ford  any  homogeneous  RotS  bent  functions  having  degree  >  2  up  to  10 
variables. 

Filiol  and  Fontaine  [6]  discussed  the  set  of  idempotent  Boolean  functions  in 
an  experimental  setting.  Let  B  =  (b\, . . .  ,bn)  a  basis  of  Fg  (which  is  iden¬ 
tified  with  F2«).  An  idempotent  f  is  a  Boolean  function  on  F2™  that  satis¬ 
fies  f2  =  /.  Define  the  Mattson-Solomon  (MS)  polynomial  by  MSf(Z)  = 
EU2  AjZ2nM-\  where  Aj  =  Xa=o 1  /(a*)a*J  (a  is  a  primitive  element  of 
F 2n )  •  LIsing  the  representation  /  =  XffeF*n  / (g)(9)  (in  the  multiplicative  al¬ 
gebra  F 2 [F 2n ,  x]),  we  get  that  /  is  an  idempotent  iff  f(g)  =  f(g2),  Vg;  the 
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coefficients  of  the  MS  polynomial  belong  to  Fo;  Aj  =  Ak  for  all  k  in  the  2- 
cyclotomic  class  of  j  ({j,  2 j, . . . ,  2n~1j});  the  ANF  of  /  (using  a  normal  basis 
(7,  y2, . . . ,  y2"  )  remains  invariant  under  circular  shift.  This  gives  that  the 
corpus  of  idempotents  is  the  same  as  the  class  of  rotation  symmetric  Boolean 
functions.  For  n  =  5,  7,  they  found  idempotents  of  highest  nonlinearity  (12, 
respectively  56)  of  degrees  2,  3  (for  n  —  5),  and  degrees  2,  3, 4,  5,  6  (for  n  —  7). 
For  n  —  6,8  they  found  all  idempotents  of  highest  nonlinearity  (28,  respec¬ 
tively  120),  of  degrees  2,3,  respectively,  2,3,4.  They  were  not  able  to  find 
all  idempotent  functions  for  n  =  8,  though.  Finally,  for  n  =  9,  they  found 
1142395  functions  (up  to  equivalence)  with  nonlinearity  240,  some  of  which 
are  balanced,  of  degrees  2, 3, 4,  5,  6,  7. 

The  search  of  [6]  considers  nonlinearity  only.  Our  further  attempt  to  search 
the  cryptographically  significant  Boolean  functions  on  5,  6  and  7  variables 
produced  extremely  encouraging  results  (see  Section  3  for  relevant  definitions). 
We  found  480  RotS  functions  on  7  variables  which  possess  resiliency  of  order 
1,  propagation  characteristics  of  order  1,  nonlinearity  56,  algebraic  degree  4 
and  maximum  absolute  value  in  autocorrelation  spectra  16.  Also  we  found  72 
RotS  functions  on  7  variables  which  possess  resiliency  of  order  2,  nonlinearity 
56,  algebraic  degree  4  and  maximum  absolute  value  in  autocorrelation  spectra 
16.  Functions  with  such  optimized  properties  were  not  known  earlier. 


2  Enumeration  of  Rotation  Symmetric  Boolean  Functions 


We  start  this  section  with  some  basic  technical  discussion.  It  is  clear  that 
\Gn(xi, . . .  ,xn)\  <  n.  For  the  case  \Gn{x\, . . . ,  xn)\  =  n,  we  call  that  the 
elements  of  Gn(x  1, . . .  ,xn)  form  a  long  cycle,  which  is  of  length  n.  On  the 
other  hand,  if  \Gn{x\, . . , ,  xn)\  <  n,  we  call  it  a  short  cycle,  which  is  of  length 
strictly  less  than  n.  As  example,  (74(1,  0,0,0),  (74(1,1,0,0),  (74(1, 1,1,0)  are 
long  cycles  (each  of  size  4),  whereas,  (74(0,  0,  0,  0),  Gb(l,  1, 1, 1)  (each  of  size 
1)  and  (74(1,0,1,0)  (of  size  2)  are  short  cycles.  Note  that  |Gn(0, . . . , 0)|  = 
\Gn(l, . . . ,  1)|  =  1,  for  any  n  >  1.  For  n  =  1,  Gb(0),  Gb(l)  are  two  long  cycles. 
However,  for  n  >  1,  Gn(0, . . . ,  0),  Gn(l, . . . ,  1)  are  always  short  cycles. 

It  turns  out  that  the  sequence  gn  counts  also  the  number  of  n-bead  necklaces 
with  2  colors  when  turning  over  is  not  allowed,  or  output  sequences  from  a 
simple  n-stage  cycling  shift  register,  or  binary  irreducible  polynomials  whose 
degree  divides  n  (see  [16]).  In  the  proof  of  our  first  result,  we  need  Burnside’s 
lemma  (which  in  fact  was  discovered  by  Frobenius). 

Lemma  2  (Burnside’s  lemma)  LetG  be  a  group  of  permutations  acting  on 
a  set  S.  Then  the  number  of  orbits  induced  on  S  is  given  by  At  XAsg 
where  fix  sip r)  =  {x  G  S  \  tt(x)  =  x}. 
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Theorem  3  gn  =  —  ^  4>(t)  2n^ ,  where  4>{t)  is  Euler’s  phi-function. 

^  t\n 


PROOF.  For  convenience,  we  provide  here  a  proof  (see  also  [16]).  Here  G  = 
{p\, . . .  ,  p™}  and  S  =  {0,  l}n.  To  use  Burnside’s  lemma  we  need  to  find  the 
number  of  fixed  points  of  pln ,  i  —  1 , ,n.  The  number  of  permutation  cycles 
of  pln  is  gcd(n,  i),  each  of  them  of  length  .  Observe  that  pln  has  order 

gcd"r)  ^ .  Since,  to  be  fixed  by  pln,  each  input  cycle  must  consist  of  all  0’s  or 
all  l’s,  we  get  that  the  number  of  fixed  points  of  pln  is  2scd^n,*\  Applying 
Burnside’s  lemma  we  obtain,  gn  =  1  E^Li  2gcd^n,i)  =  ^Efc|nE"gcd (n,i)=k2k  = 

i  2*  Ej, gciWt,,.!  1  =  i  <t>  (?)  2‘  =  i  E,|„  □ 

The  number  of  rotation  symmetric  functions  of  n  variables  is  29n.  There  are 
two  groups  Gn(0, . . . ,  0),  Gn(  1, . . . ,  1)  of  size  1.  Moreover,  we  know  that  all 
other  groups  have  size  <  n.  There  are  in  total  2"  tuples  in  Vn.  Thus  apart 
from  the  (0, . . . ,  0),  (1, . . . ,  1)  tuples,  there  are  at  least  groups.  Hence, 

9n  >  2”+^w~2.  Further,  for  n  prime,  gn  =  2"+2n~2. 

Corollary  4  For  prime  p,  gpa  =  p~a  I  2pa  +  y —  p*^1)2pa 

V  i  i 


PROOF.  Take  n  =  pa.  Any  divisor  of  such  an  n  is  of  the  form  p1,  0  < 
i  <  n.  Moreover,  c f>(pl )  =  p1  —  pl~l .  Applying  Theorem  3  we  obtain  gpa  = 
p~a  (2lpa  +  E“=i(p*  —  pl_1)2p“/pI^ ,  which  gives  the  corollary  (the  hrst  term  cor¬ 
responds  to  the  divisor  t  —  1  of  n) .  □ 


2. 1  Enumeration  of  long  cycles 


Concentrate  on  Gn{x i, . . .  ,xn),  where  Gn(x i, . . .  ,xn)  contains  exactly  n  ele¬ 
ments.  Let  hn  be  the  number  of  such  length  n  subsets,  i.e.,  the  number  of  long 
cycles.  Clearly  hn  <  gn.  We  will  provide  a  formula  for  hn. 

Let  l on  be  the  number  of  prime  factors  of  n,  and  n  =  pf1  ■  ■  ■  pfppp .  First  we  need 
a  few  technical  results. 

Lemma  5  If  gcd(i,  n)  =  d,  then  the  fixed  points  of  pln  are  exactly  the  fixed 
points  of  pd . 


PROOF.  Since,  gcd(n,  i)  =  ged (n,d)  =  d,  pln  and  have  the  same  number 
of  fixed  points.  Therefore,  it  suffices  to  show  that  the  fixed  points  of  are 
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also  fixed  points  of  pln.  Take  (xi, . . .  ,xn)  a  fixed  point  of  pd.  Let  i  =  di'.  We 
have 


Pn(x  l,---,Xn)  =Pn'(x  l,...,Xn)  =  p*(p*(.  .  .  p*(x i,  .  .  .  ,  X„)  .  .  .))  =  (xU...,Xn), 

where  the  composition  contains  il  number  of  p d  operations.  Thus,  (xi, . . . ,  xn) 
is  a  fixed  point  of  pln.  □ 

Lemma  6  If  a  <  b  and  p  \  n,  then  the  fixed  points  of  pdf  are  among  the  fixed 
points  of  pp  . 


PROOF.  Take  (xi, . . . ,  xn)  a  fixed  point  of  pdf .  We  need  to  show  that  it  is  a 
fixed  point  of  pvn  ,  as  well.  This  follows  from  pvn  (xi, . . . ,  xn)  =  pdf  (. . .  pff  (x ±, . . .  ,  xn 
(xi, ,  xn),  where  the  composition  contains  b  —  a  terms.  □ 

Let  p  q  be  prime  divisors  of  n,  and  a,  b  arbitrary  integers.  Denote  Fpa,  ¥qb, 
the  set  of  fixed  points  of  pdf ,  respectively,  p-f . 

Lemma  7  We  have  Fpa  P| IF^b  =  {(0, . . . ,  0),  (1, . . . ,  1)}. 


PROOF.  We  know  pn  has  only  two  obvious  fixed  points.  Assume  that  (xi, . . . ,  xn 
is  a  fixed  point  in  the  intersection,  which  is  neither  (0, . . . ,  0),  nor  (1, . . . ,  1). 

If  pqf(x  i,...,xn)  =  (xi,...,xn),  then  p~qb(x1,. . .  ,xn)  =  (xi,...,xn).  Since 
p  7^  q,  then  gcd(pa,  qb )  =  1,  therefore  there  exist  some  integers  A,  B ,  such  that 
Apa+Bqb  =  1.  Assume  A  >  0,  B  <  0.  Thus,  pf(x i, . . . ,  xn)  =  pfpa+Bqb(x i, . . . ,  xn) 
Pnpa(Pnq  (xi,...  ,  xn))  =  (xi, . . . ,  xn),  a  contradiction.  □ 


Theorem  8  We  have  (i)  hi  =  2, 


(ii)  If  n  =  pa,  p  prime ,  then  hpa  =  —  2n^d  —  ^ 


a,— i  2 pl 2 pl  1 


n 


particular,  if  a  —  l,  hp  — 


2P  —  2 
P 


d\n 


i=  1 


pi 


—  2.  In 


(in)  Let  n  =  pf  •  ■  -pdpn ,  Pi  ^  Pj  be  the  prime  factorization.  Then  hn  = 

1 


n 


Y.M  2-"-EE 


lOn  a,i  2PJi  —  2  Pi  1 


d\n 


i=l  j= 1 


Pi 


-  2,  if  un  >  2. 


PROOF.  It  is  easy  to  see  that  h\  =  2.  This  is  the  Case  (i).  Note  that 
Gn(x i, . . . ,  xn)  is  a  short  cycle,  if  and  only  if  there  is  some  proper  divisor  d  \  n, 
such  that  (xi, . . . ,  xn)  is  a  fixed  point  for  pdn.  From  the  previous  lemmata,  it 
suffices  to  consider  d  a  power  of  a  prime. 


Case  ( ii ).  LVn  =  1,  therefore  n  =  pa,  for  some  integer  a  and  prime  p.  We 
count  the  short  cycles  for  pff  by  looking  at  the  fixed  points  of  pP ,  0  <  i  <  a. 
Obviously,  we  have  fixed  points  only  for  pP ,  0  <  i  <  a,  which  are  all  fixed 
points  for  pff  ,  also. 

But  a  short  cycle  under  p\ f  is  a  long  cycle  under  pP ,  for  some  0  <  i  <  a  —  1. 
To  find  the  long  cycles  under  pf ,  we  take  the  hxed  points  of  pP ,  which  are 
not  hxed  points  of  piP  and  divide  by  the  length  pl  of  a  long  cycle  under  pP . 
Recall  that  the  number  of  hxed  points  of  p P  is  2P\  We  get  that  the  number 

2  px c2pl~ 1 

of  short  cycles  of  pn  is  2  +  YfiZi  - . - . 

pi 

ai 

Case  (in).  LUn  >  1.  Since  the  number  of  cycles  of  pn  (by  Lemma  7,  these 

Paj  Tg  2pi  -  2pi~1 

cycles  are  not  hxed  by  any  other  pn  ,j^i)  is  >  y - -■ - ,  we  obtain  that 

j  I  Pi 

2 pi  -  2P' 

the  total  number  of  short  cycles  is  2  +  J2f=i  J2 ,=i - - - •  The  number  of 

Pi 

short  cycles  is  to  be  subtracted.  Hence  the  proof  of  the  theorem.  □ 


2.2  Homogeneous  Rotation  Symmetric  Boolean  functions 


We  noted  already  that  for  RotS  Boolean  functions,  if  the  term  . . .  Xim 

is  present,  then  all  the  distinct  terms  of  the  form  pifx^x^  . . .  x*m)  are  also 
present  for  1  <  j  <  n.  Hence,  for  RotS  functions,  it  is  clear  that  some  mono¬ 
mials  of  the  same  degree  either  appear  or  do  not  appear  at  the  same  time. 
Now  we  concentrate  on  monomials  of  the  same  degree.  We  introduce  some 
notations  which  are  related  to  the  weight  of  the  binary  strings.  First  consider 
Gn(x i, . . . ,  xn),  where  wt(x i, . . .  ,xn)  is  exactly  w.  Note  that  in  this  way  we 
get  a  partition  over  the  n  bit  binary  strings  of  weight  vj  (total  number  ((”  j ) . 
Let  us  consider  that  the  number  of  such  partitions  is  gn>w.  Moreover,  let  hH:W 
be  the  number  of  distinct  sets  Gn(x i, . . . ,  xn),  where  wt(x i, . . . ,  xn)  =  w  and 
\Gn(xi, . . . ,  Xn)\  =  n,  that  is,  the  number  of  long  cycles  of  weight  w.  Clearly, 
hn,w  ^  9n,w 

We  will  write  k\'m,  if  k,  (1  <  k  <  m)  is  a  proper  divisor  of  m. 


Theorem  9  We  have 


if')  9n,w 
(^)  9n,w 


if"), 

n\w 


if  gcd(n,  w) 


1.  Also,  gnfl  9n,n  1- 


+  ^2  <  n' 

k\'  gcd(n,w) 
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PROOF.  First,  we  make  the  observation  that  gn,w  is  the  sum  between  the 
number  of  long  and  short  cycles.  Obviously,  x  =  (xi,...,x„)  is  part  of  a 
short  cycle,  if  and  only  if  there  is  a  minimal  block  b  =  [xi,  X2,  ■  ■  ■ ,  ]  which  by 
repeating  itself  (say,  k  times)  covers  x,  that  is  x  =  bbb . . ..  Furthermore,  k 
divides  w,  so  the  weight  of  b  is  Since  x  is  covered  by  concatenating  k  copies 
of  b ,  it  follows  that  k  divides  n,  as  well.  This  gives  that  there  can  not  be  any 
short  cycle  if  gcd(n,  w)  —  1  and  hence  we  obtain  the  first  claim  of  (i).  If  w  —  0 
(respectively  w  —  n),  then  the  only  element  x  of  such  a  weight  is  (0, . . . ,  0) 
(respectively  (1, . . . ,  1)),  so  gn> 0  =  gn,n  =  1-  The  proof  of  ( i )  is  completed. 


Assume  1  <  w  <  n.  Using  the  same  observation  as  above,  we  note  that 
(xi, . . . ,  xn)  is  part  of  a  short  cycle  under  gn,  if  and  only  if  there  is  a  minimal 
block  b,  of  length  n/k,  where  k  \'  gcd(n,  w),  which  renders  x  by  concatenation 
of  k  copies  of  b.  Since  b  is  minimal,  then  it  must  be  a  full  cycle  under  <7*,  of 

weight  — .  Thus, 
k 

ff  short  cycles  =  ^  (1) 

k  \'  gcd (n,w) 


Let  L  (respectively  S)  be  the  sets  of  elements  in  Vn  of  weight  w,  which  are  part 
of  long  (respectively  short)  cycles.  Recall  that  the  total  number  of  elements 

of  weight  w  is  ^  ^ .  Therefore,  \L\  =  —  \S\.  The  number  of  long  cycles  is 

-\L\.  Moreover,  each  short  cycle  under  gn  of  weight  w  is  the  concatenation  of 
k  copies  (for  some  value  of  k  |/gcd(n,iy))  of  a  long  cycle  under  g»  of  weight  '-f  . 

W  Tl 

Since  in  each  long  cycle  under  ga  of  weight  —  there  are  —  elements,  it  follows 

k  k  k 

that 

1  ( n\  1 


#  long  cycles  =  — 

n\w 


X  \  '  Tl 

—  /  —  ■  riii  1 

,,  U  k  ’  1 

k  |'  gcd(n,K;) 


(2) 


Putting  together  1  and  2,  we  obtain  (ii).  □ 


Recall  that  gn.w  is  the  number  of  distinct  cycles  of  weight  w.  This  means  that 
the  degree  w  monomials  can  be  divided  in  gn>w  different  cycles.  We  obtain 

Corollary  10  Consider  n-variable  RotS  Boolean  functions.  The  number  of 
(i)  degree  w  homogeneous  functions  is  29n’w  —  l,  (ii)  the  number  of  degree  w 
functions  is  ( 29n’w  —  l)2^«=o  (Jn-'-  and  (in)  the  number  of  functions  with  degree 
at  most  w  is  2^i=o9n’i . 


The  result  of  Corollary  10  will  be  used  in  Subsection  3.1  as  it  reduces  the 
search  space  of  RotS  bent  functions. 

Tl  —  1 

Let  us  consider  the  case  for  w  =  2.  If  n  is  odd,  then  gn  2  =  — - — .  If  n  is  even, 

\_  f  f  Ti\  Tl  \  Tl 

9n, 2  =  “  I  I  2  )  ~  2  '  h SillCe  =  -1’  We  get  9n, 2  =  ^ '  ThllS  tllere 
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are  2^J  homogeneous  quadratic  RotS  Boolean  functions. 


Let  us  consider  the  case  of  degree  w  —  3.  If  3  does  not  divide  n,  then  gn  3  = 

1  (n\  (n  —  l)(n  —  2)  . .  _  . ,  1  ( (n\ 

3  " 


n 


l)(n  —  2)  1 

- .  If  n  is  divisible  by  3,  then  gn  3  =  — 

6  ’  n 


1.  Now  /i«i  =  1.  Hence,  gn  3  =  - 

33  n 


'  n' 

,3; 


-5 


n(n  —  3) 

6 


+  1.  The 


number  of  homogeneous  degree  3  functions  is  29n-3 . 


£5  Solving  a  recurrence  relation 


Since  gn,w  depends  on  values  of  h.t.  we  shall  display  now  an  exact  formula  for 
these  values.  Let  us  recapitulate  the  Equation  2  in  the  proof  of  Theorem  9, 
which  is  the  recurrence  relation  for  hHtW. 


hn..w 


n 


n\w , 


1 

n 


E 


k  \  f  gcd (n,w) 


n  r 

—  •  flu  H. 

k  k  ’ k 


(3) 


Let  n,  w  be  such  that  gcd(n,  w)  —  1  and  d  =  nt=i  Pj 3 ,  Pj  primes.  With  n,  w,  d 


fixed,  let  &air..,Qt  = 


'nuU  py 

^uUp? 


Theorem  11  We  have 


hnd,wd 


nd 


at— H 


(4) 


PROOF.  We  prove  the  assertion  by  induction  on  a  a  =  0,  or  a  = 

3= 1 

1,  Equation  3  shows  that  hn,)W  =  4^,  respectively,  hpn:PW  =  ±  ((^)  -(”)), 
for  some  prime  d  =  p. 

Now,  we  need  to  show  the  induction  step.  We  consider  two  cases:  Case  1:  all 
at  =  1;  Case  2:  there  exists  some  i  with  a.;  >  2. 


We  take  Case  1  first.  Let  d  =  Yll=2Pi-  Any  divisor  k  \'d,  k  ^  d,  is  either  p1,  k, 
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or  kpi,  where  k  \  d,  k  ^  1.  Using  this  observation  together  with  3,  we  obtain 
'  nd\  ,  ,  rid 


11  l  ’  v~v  i  v  >  i  tui  j  v  >  rid  nd  , 

Tid  *  It yid  yjd  —  I  I  /  ~ =  find  wd  /  =  n  nd  wd  ft  nd  wd 

-k\tt^ik  k\it^kvi  Spi’Spi  Pi  pi,pi 


yWdj 

( nd ^ 

iwdi 


(5) 


E  nspihn-spi  ,wspi  E  nshv 

s|d,  s^d  s\d,  s^d 


Tidhnci,W(i 


Any  divisor  s  of  d  is  of  the  form  s  =  with  0  <  at  <  1  (2  <  i  <  t). 

Moreover,  using  the  induction  assumption  (with  s  ^  d) 


nspi  •  hnspiwspi  Y  (  (  1)^J  1  6x_j1; 

LiE 


Oil— 12,’ 


—  E  (  — 1)^-2%  ^1,02-12,...  —  E  (  — l)E-2,J&o,a2  -i 

0<i2,...<l  0<i2,---<l 

ns  •  hng  Wg  Y  (  (  l)^j— 2  AgiQ2_j2] 

o<i2,...<i 

nd-hnatWd=  E  (-1)'L'J'=2*i6o,a2-»2)... 

0<i2r..<l 

which  implies  nspi  •  hn7spi )U,gPl  +  ns  •  =  Eo<i2,..<i(_1)^=2*JEa2-i2,..- 

Therefore,  we  get 


nd  •  hnd,wd 


iwd) 


-  E  E  (  1)  2  b\  Q,2  —  i2,... 


0<a2,...<l  0<i2,...<l 

not  all  1 


—  E  (  —  l)^-'j-2^6o,a2-i2,...  — 

0<i2,...<l 

_  E  E  (“  l)E=2*-76l,a2-i2 +  E  (:^l)E=2*J6i)a2-j2,.. 


0<a2,--<l  0<i2,...<l 

•\t 


r_-nEL2 


-  E  (-1)^i-2^0,a2-i2,..  -  E  (_1)^"2ij&ai-il,a2-*2,... 

0<*2,.-<i  0<ii,...<l 


(6) 


since  any  term  in  the  first  sum  is  cancelled  by  another:  we  have  a  pattern 
similar  to  that  of  the  inclusion-exclusion  principle  (it  is  even  more  apparent 
what  happens  in  the  next  argument). 

The  computations  are  similar  in  Case  2.  Without  loss  of  generality  we  may 

assume  that  a±  >  2.  Let  d  =  Note  that  as  special  cases, 

Pi 


h 


npr  ,wpr 


l 

npr 


KE) 

\wpr  1  J  J 


(for  t  =  1), 


12 


and 


h 


nprqs  ,wprqs 


(pr,s  brs— i  br— i  s  +  br—i  s— i)  (for  t  2). 

npr  qs 


Now  let  us  present  the  proof.  Any  divisor  k  \'d  ( k  ^  d )  is  of  the  form  p\k, 
i  =  1,2, ,  Gp,  where  k  \  d,  such  that  if  i  =  a±,  then  k  ^  d.  Using  3  and  the 
induction  hypothesis,  we  get  (X/  denotes  the  sum  with  the  extra  condition 
that  if  i  —  0,  then  k  ^  1,  and  if  i  =  a±,  then  k  ^  d), 


nd  ■  hnd,wd  — 


'  nd 


ai 


. ,  nd 


_ \ ' \ '  z 

.  /  /  ■  —  it  nd  wd 

wd )  p\k  v\ k  ’ p\ k 


/  ruR 
Kwd) 


1=0  k\d 

CL\  —  1 


-  Y  Y  nsPih 


np-^s^wp^s 


—  Y  nPV  sh 

s|d,  s^d 


a  i  _  a  i  _ 

npp  SjWpp  S 


=  b, 


j— 0  s|d 

Y  [  Y  (  —  I)^fc=2*fc^,a2-i2,... 

j=l  \0<i2,...<l  0<j2,...<l 

•\t  .  _  V  ~\ t. 


Y  (-1  )^=*ikbr 

Z2,...<1 

Y  (-l)^=2ij&0,a2-i2,...  +  Y  (-l)^i=2?J6a  i,a2-i2, 

0<i2,...<l  0<i2,...<l 

H  (-l)^=ll^ai  -<i . «*-»*  • 

(7) 


This  proves  Case  2  and  hence  the  proof  is  completed.  □ 


3  Rotation  symmetric  functions  with  cryptographic  significance 


With  the  enumeration  results  for  RotS  Boolean  functions  in  the  previous  sec¬ 
tion,  the  search  space  is  reduced  to  a  large  extent  and  it  seems  possible  to 
search  this  space  to  check  whether  there  exist  cryptographically  interesting 
Boolean  functions.  The  results  show  that  the  RotS  Boolean  functions  are  rich 
in  this  context.  For  detailed  discussion  about  these  cryptographic  properties 
see  [14]  and  the  references  therein.  Before  stating  the  results  we  first  need  to 
present  some  definitions. 

Let  x  =  (op, . . . ,  xn )  and  u  =  (up, . . . ,  un )  in  Vn  and 


X  *  UJ  —  +  .  .  .  +  XnLOn. 

Let  f(x)  be  a  Boolean  function  on  n  variables.  Then  the  Walsh  transform  of 
f(x)  is  a  real  valued  function  over  Vn  that  can  be  defined  as 

w/M  =  y 

X  eVn 


l,a2~ ^2,- 
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Note  that  Wf(u>)  =  wd(f,l0J),  where  l w  denotes  the  linear  function  on  n  vari¬ 
ables  given  by  lu(x)  —  u>  ■  x. 

The  following  characterization  of  correlation  immune  functions  has  been  pre¬ 
sented  in  [7].  A  function  f(x i, . . .  ,xn)  is  m-th  order  correlation  immune  (Cl) 
if  and  only  if  its  Walsh  transform  satisfies  Wf(u)  =  0,  for  1  <  wt( u)  <  m. 
Note  that  /  is  balanced  if  and  only  if  Wf(0)  =  0.  Balanced  m-th  order 
correlation  immune  functions  are  called  m-resilient  functions.  Thus,  a  func¬ 
tion  f(x\, . . . ,  xn)  is  m-resilient  if  and  only  if  its  Walsh  transform  satisfies 
Wf(u>)  =  0,  for  0  <  wt(uj)  <  m. 

By  an  (n,  m,  d,  u )  function  we  denote  an  n- variable,  m-resilient  function  with 
degree  d  and  nonlinearity  u.  By  (n,  0,  d,  u )  function  we  mean  a  balanced  71- 
variable  function  with  degree  d  and  nonlinearity  u.  In  the  above  notation  a 
component  is  replaced  by  a  £— ’,  if  it  is  not  specified,  e.g.,  (n,  m,  —  ,u),  if  the 
degree  is  not  specified. 

Define  A f(a)  =  wd(f(x),f(x  ©  a)),  the  autocorrelation  value  of  /  with  re¬ 
spect  to  the  vector  a.  Now  we  define  the  Propagation  Characteristics  of  a 
Boolean  function  [11],  An  n- variable  function  /  is  said  to  satisfy  PC(k ),  if 
A f(a)  =  0  for  any  a  such  that  1  <  wt(a)  <  k.  The  absolute  indicator  is 
A /  =  maxa£VniQ/0  |A/(a)|. 

3.1  Bent  Functions 


Bent  functions  are  extremely  interesting  combinatorial  objects,  which  were 
introduced  in  [13].  Bent  functions  on  n  variables  (n  even)  possess  the  maximum 
possible  nonlinearity  and  the  Walsh  spectra  contain  only  the  values  ±2  2. 
Further  these  functions  are  of  algebraic  degree  at  most  |  for  n  >  2. 

We  now  consider  the  RotS  bent  functions.  Consider  that  there  exists  a  RotS 
bent  function  /  on  n  variables  with  /( 0,0, . . . ,  0)  =  0  and  the  ANF  of  the 
function  is  free  from  the  terms  X\  +  . .  .  +  xn.  In  that  case,  l  +  f,Xi  +  . .  .+xn  +  f 
and  I+X1  +  . . . +xn+f  are  also  RotS  bent  functions.  Thus  if  we  count  the  RotS 
bent  functions  with  /( 0,  0, . . . ,  0)  =  0  and  free  from  the  terms  x\  +  . . .  +  xn, 
then  multiplying  that  by  4  we  get  the  total  count. 

Note  that  rotation  symmetric  bent  functions  upto  8-variables  have  already 
been  enumerated  in  [6].  We  here  explain  those  results  once  more  and  then 
study  the  10-variable  case  also. 

We  know  that  g4  =  6  and  g6  =  14.  Thus  we  can  easily  go  for  exhaustive  search. 
For  4  variables,  there  are  8  such  functions,  and  they  are  represented  by  the 
SANF  X\X3  and  X1X2  +  Xix3. 
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For  6  variables,  there  are  48  RotS  bent  functions,  represented  by  the  following 
12  functions  in  SANF  : 


X1X4, 

X\X3  +  X1X4  +  X1X3X4, 

X3X3  +  XiX2Xz  +  Xix4  +  2:12:32:4  +  2:12:32:5, 
2:12:2  +  2:12:4  +  2:12:32:4, 

2:12:2  +  2:12:22:3  +  2:12:4  +  2:12:32:4  +  2:12:32:5, 
2:12:2  +  2:12:3  +  X1X4, 


2:12:22:3  +  2:12:4  +  2:12:32:5, 

2:12:3  +  2:12:4  +  X1X2X4, 

2:12:3  +  2:12:22:3  +  2:12:4  +  2:12:22:4  +  2:12:32:5 
2:12:2  +  2:12:4  +  2:12:22:4, 

2:12:2  +  XiX2X3  +  2:12:4  +  XiX2XA  +  2:12:32:5 
2:12:2  +  2:12:3  +  XiX2X3  +  2:12:4  +  XiX3X5. 


We  also  have  that  g8  =  36.  Thus  the  search  over  this  space  needs  checking  236 
options,  which  is  computationally  complex.  We  reduce  this  space  further  using 
the  results  of  Theorem  9  and  Corollary  10.  First  of  all  we  can  always  assign  0 
value  corresponding  to  g8.o  many  group  which  forces  /( 0,  0, . . . ,  0)  =  0  and  g8,\ 
many  group  which  forces  that  the  ANF  is  free  from  the  terms  X\  + . .  .  +  xn.  We 
find  the  count  of  such  bent  functions  and  then  multiply  by  4  to  get  the  total 
count.  Further  we  know  that  bent  functions  are  of  algebraic  degree  at  most 
|  for  n  >  2.  Thus  we  can  easily  discard  5  +  gs,6  +  <7s,7  +  <78,8  many  groups 
as  all  the  monomials  containing  more  than  4  variables  will  not  exist.  So  the 
number  of  groups  where  we  have  to  assign  0  or  1  values  is  g82  +  <73,3  +  <78,4  =  21 
only.  Thus  we  need  to  search  a  space  of  221  RotS  functions  on  8- variables  to 
get  the  complete  list  of  RotS  bent  functions  on  8  variables.  It  took  6  hours  on 
a  Pentium  1.6  GHz  computer  with  256  MB  RAM  using  Linux  7.2  operating 
system.  The  program  has  been  written  in  C.  We  found  that  there  are  4  • 
3776  AotS”  bent  functions  on  8  variables  and  the  following  8  are  homogeneous, 
expressed  in  SANF  : 


2:4X5;  X1X4  +  X1X5;  X1X3  +  X1X5;  X1X3  +  X1X4  +  X1X5;  X1X2  +  X1X5; 
XiX2  +  X1X4  +  X1X5;  XiX2  +  X1X3  +  X1X5;  XiX2  +  X1X3  +  X1X4  +  X1X5. 


We  could  not  exhaustively  search  beyond  8  variable  functions.  This  is  because, 
for  10  variables,  g±o  =  108  and  we  need  to  consider  functions  up  to  degree  5  and 
hence  <7io,2  +  <7io,3  +  <7io,4  +  <7io,5  =  65  groups  for  searching  bent  functions,  which 
needs  checking  of  265  functions.  Homogeneous  bent  functions  are  of  interest  in 
literature  [2,3,12],  Though  we  could  not  search  the  complete  space  of  RotS* bent 
functions  on  10  variables,  we  could  search  the  homogeneous  ones.  The  SANF  of 
degree  2  homogeneous  10-variable  RotS*  bent  functions  are:  X1X6,  X1X5  +  X1X6, 

XiX4  +  XiX6,  X\X3  T  XiXg,  X\X3  T  X1X4  T  X\Xq,  X1X3 +  X1X4 +  X1X5 +XiX6,  X1X2  + 
XiX6,  X1X2  +  X1X5  +  XiX6,  X1X2  +  X1X4  +  X1X5  +  XiX6,  X1X2  +  X1X3  +  X1X5  +  XiX6, 
X1X2  +  X1X3  +  X1X4  +  X]X6,  X1X2  +  X1X3  +  X1X4  +  X1X5  +  X\Xq. 
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Note  that  g  10,3  =  12,  (710,4  =  22,  and  (710,5  =  26.  Thus  it  is  possible  to  search 
for  10- variable  homogeneous  RotS  bent  functions  with  degree  3,  4,  and  5. 
Unfortunately  we  could  not  find  any  evidence  of  homogeneous  bent  functions 
there.  Thus  we  make  the  following  conjecture. 

Conjecture  12  There  are  no  homogeneous  RotS  bent  functions  of  degree  >  2. 

Somewhat  related  to  our  conjecture,  Xia  et.  al.  [17]  showed  that  there  are  no 
homogeneous  bent  functions  of  degree  n  in  2 n  variables,  for  n  >  3. 


3.2  Resiliency  and  Propagation  Characteristics 


For  an  (n,  m,  d,  u )  function,  m+d  <  n  —  1  [15]  and  u  <  2n_1  —  2m+1+l  2  1  [1], 

From  cryptographic  point  of  view,  it  is  important  to  find  functions  attaining 
these  bounds.  Further  it  is  important  to  find  functions  with  PC(k),  where 
k  is  high.  Low  value  of  Af  is  also  essential.  These  functions  have  important 
applications  in  S-boxes  [11].  So  far,  for  odd  n  <  15,  the  lowest  possible  A / 

TL-\- 1 

value  achieved  for  balanced  functions  is  2  “2“.  We  found  the  evidence  of  such 
very  important  examples  in  the  RotS  Boolean  functions  class. 

Since  we  find  that  the  space  of  RotS  Boolean  functions  is  much  smaller  than 
the  complete  space  of  Boolean  functions,  we  can  successfully  search  that  space 
for  small  values  of  n.  In  fact,  we  did  the  complete  search  for  n  =  5,  6,  7  and 
found  the  following  interesting  results.  We  present  the  functions  in  SANF  and 
with  /(0,0,...,0)  =  0.  The  properties  balancedness,  correlation  immunity, 
resiliency,  nonlinearity,  algebraic  degree,  A f  and  propagation  characteristics 
of  a  function  /  stay  preserved  for  the  function  1  +  /  also.  Hence  we  count  the 
functions  with  /(0,  0, . . . ,  0)  =  0  and  double  the  count  value  to  give  the  exact 
number  of  such  functions. 


3.2.1  5-variable 

There  are  eight  (5, 1,  3, 12)  functions,  X1X2+X1X3+X1X2X 4,  xiX2+x\x3+x\X2X3) 
X\  +  X\X3  +  X1X2X4,  X\  +  X1X2  +  X1X2X3  and  their  complements.  Most  interest¬ 
ingly,  they  possess  the  theoretically  best  possible  Af  =  8  value.  That  is,  these 
functions  provide  provably  best  possible  parameters  in  terms  of  nonlinearity, 
resiliency,  algebraic  degree  and  autocorrelation  values.  However,  there  are  no 
(5,  2,  2,  8)  RotS  function. 

All  the  5-variable  functions,  with  maximum  possible  nonlinearity  12,  that 
satisfy  propagation  characteristics  are  PC(4).  There  are  12  functions  which 
are  PC( 4)  and  of  nonlinearity  12.  The  Af  value  for  all  of  them  is  32.  The 
functions  with  /( 0)  =  0  are  XiX3,  x±x2,  X\  +  XiX2  +  x \ x3  (balanced)  and 
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X\X2  +  Xix^i  X\  +  2:10:3  and  x\  +  2:12:2  (unbalanced). 


3.2.2  6-variable 

There  are  fifty  two  (6,1,— ,24)  RotS  functions.  The  algebraic  degrees  of  the 
functions  will  be  revealed  from  the  SANF  presented  in  Table  3.  We  present 
the  26  functions  with  /( 0)  =  0.  The  others  are  their  complements.  The  * 
marked  functions  satisfy  the  PC(  1)  property  and  the  **  marked  functions 
satisfy  PC( 2)  property  in  Table  3.  There  are  no  (6,2,3,24)  and  (6,3,2,16) 
RotS  functions. 


Table  3 

The  (6, 1,  — ,  24)  RotS  functions 

There  are  2  •  56  balanced  PC(  1)  functions  with  nonlinearity  24.  Considering 
/( 0)  =  0,  out  of  the  56  functions,  there  are  16  functions  with  algebraic  degree 
5  and  Af  =  16.  One  example  is  x4x2x3  +  2:12:4  +  x4x3x4  +  x4x3x5  +  x4x2x3x5  + 

X4X2X4X3  +  XiX2X3X4Xs . 


There  are  2  •  6  balanced  PC( 2)  functions  with  nonlinearity  24.  Out  of  the  6 
functions  with  /( 0)  =  0,  there  are  two  functions  with  algebraic  degree  5  and 
A f  —  40,  and  one  of  them  is  x4x2x3  +  2:12:4  +  x4x2x3x4  +  x4x3x5  +  x4x2x4x5  + 
x4x2x3x4x5  and  2:12:3  +  2:12:4  +  x4x2x4  +  x4x3x4  +  x4x2x3x4  +  x4x2x4x5  + 
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x4x2x3x4x3.  The  other  three  are  of  A f  —  64. 


There  are  2  •  16  unbalanced  PC( 2)  functions  with  nonlinearity  as  high  as  26. 
The  functions  are  only  2  away  from  balancedness,  i.e.,  they  are  of  weight  either 
30  or  34  (weight  of  a  6- variable  balanced  function  is  32).  Now  we  consider  the 
16  functions  with  /( 0)  =  0.  Out  of  these,  8  have  degree  4  and  A/  =  16,  (one 
example  is  X1X2  +  x4X2X4  +  x\X2X3x4  +  x4x3x3  +  x±X2X4x3)  and  8  have  degree 
5  and  Af  =  24,  (one  example  is  x4x2  +  x4x 4  +  x4x2x4  +  x4x3x4  +  x4x2x3x4  + 

XiX2X3X5  +  XiX2X3X4X5). 


There  are  2  •  104  unbalanced  PC(1)  functions  with  nonlinearity  26.  Now  we 
consider  the  104  functions  with  /( 0)  =  0.  Out  of  these,  16  have  degree  5 
and  Af  =  8.  Moreover,  four  of  these  are  only  2  away  from  balancedness  (one 
example  x  1  x4  +  x4x3x5  +  x4x2x3x5  +  xix2x3x4x5). 


3.2.3  7-variable 

There  are  2-856  number  of  (7, 1,  —  ,56)  functions  (856  functions  with  /( 0)  =  0 
and  their  complements).  Now  we  only  consider  the  count  of  the  functions 
with  /( 0)  =  0.  There  are  42  number  of  (7,1,5,56)  functions  with  Af  =  16. 
One  example  is  the  function  x4x3  +  x  \  x4  +  X\X3x4  +  x4x2x4x5  +  x4x2x4x§  + 

XiX2X3X4Xq,  +  X4X2X3X3Xq. 


There  are  240  number  of  (7, 1,4,  56)  functions  with  Af  =  16  which  also  possess 
the  PC(  1)  property.  One  example  is  the  function  x4X2X3  +  x4x4  +  x4X2X3x3  + 
x4x3x4x5  +  XiX2x4Xq.  Deterministic  construction  of  these  functions  are  com- 
binatorially  challenging  and  still  not  known. 

Construction  of  7-variable,  2-resilient  functions  with  nonlinearity  56  has  been 
considered  as  one  of  the  extremely  hard  combinatorial  problem.  So  far  there 
is  no  existing  deterministic  construction  method  to  construct  these  functions. 
These  functions  were  found  by  search  methods  earlier  [4,9].  Running  a  com¬ 
puter  program,  we  obtained  that  there  are  2-36  number  of  (7,  2, 4,  56)  functions 
in  the  RotS  class.  They  are  listed  in  Table  4.  We  mention  that  all  of  these  func¬ 
tions  have  Af  —  16,  which  is  better  than  the  value  24  presented  in  [4].  In  fact, 
the  (7,  2, 4,  56)  function  with  Af  =  16  provides  best  possible  parameters  for  a 
7-variable  Boolean  function. 


4  Conclusion 


In  this  paper  we  investigated  rotation  symmetric  Boolean  functions.  We  pro¬ 
vide  complete  enumeration  results  for  these  functions  including  the  number  of 
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X1X3  +  x\x 4  +  XIX3X4  +  XIX2X3X4  +  XIX2X5  +  XIX2X3X5  +  X1X2X4X5 

X1X2  +  X1X2X3  +  XIX4  +  X1X2X4  +  X1X2X3X4  +  XIX3X4X5  +  X1X2X4X6 

xiX2  +  x±X3  +  x\X2X3  +  X1X2X4  +  X1X3X4  +  X1X2X3X4  +  X1X3X5  +  X1X2X4X5  +  XIX3X4X5 

x\  +  x\X2X3  +  X1X4  +  xiX2^4  +  XIX2X3X4  +  XIX2X5  +  XIX3X5  +  X1X2X3X5  +  XIX2X4X6 

xi  +  XIX3  +  xi X2^3  +  XIX2X4  +  xi X2X3X4  +  XIX2X5  +  XIX3X5  +  X1X2X3X5  +  XIX2X4X5 
x\  +  X1X2  +  XIX2X3X4  +  XIX2X3X5  +  XIX2X4X5 


Table  4 

The  (7,2,4,56)  RotS  functions. 


such  functions  with  specific  degree.  Our  results  show  that  the  search  space  of 
rotation  symmetric  functions  is  much  smaller  compared  to  the  complete  space 
of  Boolean  functions  and  so  we  were  able  to  do  some  experiments  on  this  class 
of  functions.  We  studied  the  rotation  symmetric  bent  functions  completely  up 
to  8  variables.  Further,  we  observed  that  up  to  10  variables,  there  is  no  homo¬ 
geneous  rotation  symmetric  bent  function  of  degree  >  2.  It  is  an  important 
open  question  to  settle  the  count  of  rotation  symmetric  bent  functions.  We 
have  also  checked  the  cryptographic  properties  of  rotation  symmetric  func¬ 
tions  up  to  7  variables.  Getting  theoretical  constructions  of  these  functions 
instead  of  search  is  an  interesting  research  problem.  Moreover,  any  theoretical 
advancement  in  this  direction  can  be  used  to  find  cryptographically  significant 
functions  on  higher  number  of  variables. 
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